CWE-312
AllowedCleartext Storage of Sensitive Information
Abstraction: Base · Status: Draft
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
1017 vulnerabilities reference this CWE, most recent first.
GHSA-QRGP-9JWV-233W
Vulnerability from github – Published: 2023-02-15 12:30 – Updated: 2023-02-24 21:30A Cleartext Storage of Sensitive Information vulnerability in suppportutils of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 15 SP3 allows attackers that get access to the support logs to gain knowledge of the stored credentials This issue affects: SUSE Linux Enterprise Server 12 supportutils version 3.0.10-95.51.1CWE-312: Cleartext Storage of Sensitive Information and prior versions. SUSE Linux Enterprise Server 15 supportutils version 3.1.21-150000.5.44.1 and prior versions. SUSE Linux Enterprise Server 15 SP3 supportutils version 3.1.21-150300.7.35.15.1 and prior versions.
{
"affected": [],
"aliases": [
"CVE-2022-45154"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-15T10:15:00Z",
"severity": "MODERATE"
},
"details": "A Cleartext Storage of Sensitive Information vulnerability in suppportutils of SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Server 15, SUSE Linux Enterprise Server 15 SP3 allows attackers that get access to the support logs to gain knowledge of the stored credentials This issue affects: SUSE Linux Enterprise Server 12 supportutils version 3.0.10-95.51.1CWE-312: Cleartext Storage of Sensitive Information and prior versions. SUSE Linux Enterprise Server 15 supportutils version 3.1.21-150000.5.44.1 and prior versions. SUSE Linux Enterprise Server 15 SP3 supportutils version 3.1.21-150300.7.35.15.1 and prior versions.",
"id": "GHSA-qrgp-9jwv-233w",
"modified": "2023-02-24T21:30:19Z",
"published": "2023-02-15T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45154"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1207598"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QVPJ-W7XJ-R6W9
Vulnerability from github – Published: 2024-06-02 22:30 – Updated: 2024-06-02 22:30Users registering via the user:register_form tag will have their password confirmation stored in plain text in their user file.
Impact
This only affects sites matching all of the following conditions:
- Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week)
- Using the user:register_form tag.
- Using file-based user accounts. (Does not affect users stored in a database.)
- Has users that have registered during that time period. (Existing users are not affected.)
The password is only visible to users that have access to read user yaml files, typically developers of the application itself.
Patches
The issue has been patched in 5.6.2, however any users registered during that time period and using the affected version range will still have the the password_confirmation value in their yaml files.
We recommend that affected users have their password reset. The following query can be entered into php artisan tinker and will output a list of affected emails:
Statamic\Facades\User::query()->whereNotNull('password_confirmation')->get()->map->email
The following can be entered into tinker and will clear both password_confirmation as well as their existing password. They will be required to reset their password before their next login attempt.
Statamic\Facades\User::query()
->whereNotNull('password_confirmation')->get()
->each(fn ($user) => $user->remove('password_confirmation')->passwordHash(null)->save());
References
If you are committing user files to a public git repo, you may consider clearing the sensitive data from the git history. You can use the following links for details. - https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository - https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "statamic/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.3.0"
},
{
"fixed": "5.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36119"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-02T22:30:45Z",
"nvd_published_at": "2024-05-30T21:15:09Z",
"severity": "LOW"
},
"details": "Users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file.\n\n### Impact\nThis only affects sites matching **all** of the following conditions:\n- Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week)\n- Using the `user:register_form` tag.\n- Using file-based user accounts. (Does not affect users stored in a database.)\n- Has users that have registered during that time period. (Existing users are not affected.)\n\nThe password is only visible to users that have access to read user yaml files, typically developers of the application itself.\n\n### Patches\nThe issue has been patched in 5.6.2, however any users registered during that time period and using the affected version range will still have the the `password_confirmation` value in their yaml files.\n\nWe recommend that affected users have their password reset. The following query can be entered into `php artisan tinker` and will output a list of affected emails:\n\n```php\nStatamic\\Facades\\User::query()-\u003ewhereNotNull(\u0027password_confirmation\u0027)-\u003eget()-\u003emap-\u003eemail\n```\n\nThe following can be entered into `tinker` and will clear both password_confirmation as well as their existing password. They will be required to reset their password before their next login attempt.\n\n```php\nStatamic\\Facades\\User::query()\n -\u003ewhereNotNull(\u0027password_confirmation\u0027)-\u003eget()\n -\u003eeach(fn ($user) =\u003e $user-\u003eremove(\u0027password_confirmation\u0027)-\u003epasswordHash(null)-\u003esave());\n```\n\n### References\nIf you are committing user files to a public git repo, you may consider clearing the sensitive data from the git history. You can use the following links for details.\n- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository\n- https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5",
"id": "GHSA-qvpj-w7xj-r6w9",
"modified": "2024-06-02T22:30:45Z",
"published": "2024-06-02T22:30:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/statamic/cms/security/advisories/GHSA-qvpj-w7xj-r6w9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36119"
},
{
"type": "WEB",
"url": "https://github.com/statamic/cms/commit/0b804306c96c99b81755d5bd02df87ddf392853e"
},
{
"type": "WEB",
"url": "https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository"
},
{
"type": "PACKAGE",
"url": "https://github.com/statamic/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Password confirmation stored in plain text via registration form in statamic/cms"
}
GHSA-QVX5-9C8X-GMXG
Vulnerability from github – Published: 2026-02-04 00:30 – Updated: 2026-02-04 00:30IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user.
{
"affected": [],
"aliases": [
"CVE-2025-33081"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-03T23:16:05Z",
"severity": "MODERATE"
},
"details": "IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user.",
"id": "GHSA-qvx5-9c8x-gmxg",
"modified": "2026-02-04T00:30:29Z",
"published": "2026-02-04T00:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33081"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7257565"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QVX9-7C6J-G2HG
Vulnerability from github – Published: 2022-04-30 18:21 – Updated: 2024-02-10 03:30phpRank 1.8 stores the administrative password in plaintext on the server and in the "ap" cookie, which allows remote attackers to retrieve the administrative password.
{
"affected": [],
"aliases": [
"CVE-2002-1800"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "phpRank 1.8 stores the administrative password in plaintext on the server and in the \"ap\" cookie, which allows remote attackers to retrieve the administrative password.",
"id": "GHSA-qvx9-7c6j-g2hg",
"modified": "2024-02-10T03:30:17Z",
"published": "2022-04-30T18:21:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1800"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-10/0148.html"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/10352.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/5947"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QW3M-JFHW-49PG
Vulnerability from github – Published: 2023-08-31 00:30 – Updated: 2025-02-13 18:31The firmwaredownload command on Brocade Fabric OS v9.2.0 could log the FTP/SFTP/SCP server password in clear text in the SupportSave file when performing a downgrade from Fabric OS v9.2.0 to any earlier version of Fabric OS.
{
"affected": [],
"aliases": [
"CVE-2023-3489"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-31T00:15:07Z",
"severity": "HIGH"
},
"details": "The \nfirmwaredownload command on Brocade Fabric OS v9.2.0 could log the \nFTP/SFTP/SCP server password in clear text in the SupportSave file when \nperforming a downgrade from Fabric OS v9.2.0 to any earlier version of \nFabric OS.",
"id": "GHSA-qw3m-jfhw-49pg",
"modified": "2025-02-13T18:31:51Z",
"published": "2023-08-31T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3489"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231124-0003"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/22510"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QWVJ-HF35-5G52
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2022-05-24 19:08IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 198299
{
"affected": [],
"aliases": [
"CVE-2021-20510"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-15T18:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Security Verify Access Docker 10.0.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 198299",
"id": "GHSA-qwvj-hf35-5g52",
"modified": "2022-05-24T19:08:09Z",
"published": "2022-05-24T19:08:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20510"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/198299"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6471895"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QX3W-4864-94CH
Vulnerability from github – Published: 2021-03-23 01:53 – Updated: 2021-03-29 17:59Problem
User session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.
Solution
Update to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.
Credits
Thanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core & security team members Benni Mack & Oliver Hader who fixed the issue.
References
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.56"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.0"
},
{
"fixed": "6.2.57"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.6.50"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.6.51"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 8.7.39"
},
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.0.0"
},
{
"fixed": "8.7.40"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.25"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.4.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.1.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "typo3/cms"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.0"
},
{
"fixed": "9.5.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21339"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2021-03-23T01:41:13Z",
"nvd_published_at": "2021-03-23T02:15:00Z",
"severity": "MODERATE"
},
"details": "\n### Problem\nUser session identifiers were stored in cleartext - without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance SQL injection in any other component of the system.\n\n### Solution\nUpdate to TYPO3 versions 6.2.57, 7.6.51, 8.7.40, 9.5.25, 10.4.14, 11.1.1 that fix the problem described.\n\n### Credits\nThanks to TYPO3 security team member Oliver Hader who reported this issue and to TYPO3 core \u0026 security team members Benni Mack \u0026 Oliver Hader who fixed the issue.\n\n### References\n* [TYPO3-CORE-SA-2021-006](https://typo3.org/security/advisory/typo3-core-sa-2021-006)",
"id": "GHSA-qx3w-4864-94ch",
"modified": "2021-03-29T17:59:09Z",
"published": "2021-03-23T01:53:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/TYPO3/TYPO3.CMS/security/advisories/GHSA-qx3w-4864-94ch"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21339"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms-core/CVE-2021-21339.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2021-21339.yaml"
},
{
"type": "WEB",
"url": "https://packagist.org/packages/typo3/cms-core"
},
{
"type": "WEB",
"url": "https://typo3.org/security/advisory/typo3-core-sa-2021-006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cleartext storage of session identifier"
}
GHSA-QXV9-H435-QXG6
Vulnerability from github – Published: 2026-03-03 03:32 – Updated: 2026-03-03 03:32Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator's mobile device to extract the session token and exploit access for a limited duration.
This issue affects Command Centre Mobile Client versions prior to 9.40.123.
{
"affected": [],
"aliases": [
"CVE-2025-47147"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-03T03:15:54Z",
"severity": "MODERATE"
},
"details": "Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client on Android and iOS could allow an attacker with access to a logged-in Operator\u0027s mobile device to extract the session token and exploit access for a limited duration. \n\n \n\nThis issue affects Command Centre Mobile Client versions prior to 9.40.123.",
"id": "GHSA-qxv9-h435-qxg6",
"modified": "2026-03-03T03:32:41Z",
"published": "2026-03-03T03:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47147"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2025-47147"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2FF-GW5R-6X3Q
Vulnerability from github – Published: 2022-10-19 19:00 – Updated: 2022-10-21 19:01A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.
{
"affected": [],
"aliases": [
"CVE-2022-2805"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in ovirt-engine, which leads to the logging of plaintext passwords in the log file when using otapi-style. This flaw allows an attacker with sufficient privileges to read the log file, leading to confidentiality loss.",
"id": "GHSA-r2ff-gw5r-6x3q",
"modified": "2022-10-21T19:01:15Z",
"published": "2022-10-19T19:00:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2805"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-2805"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2079545"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R2H4-4C8X-933J
Vulnerability from github – Published: 2025-06-27 03:30 – Updated: 2025-10-24 18:30Flock Safety Gunshot Detection devices before 1.3 have cleartext storage of code.
{
"affected": [],
"aliases": [
"CVE-2025-47820"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-27T02:15:23Z",
"severity": "LOW"
},
"details": "Flock Safety Gunshot Detection devices before 1.3 have cleartext storage of code.",
"id": "GHSA-r2h4-4c8x-933j",
"modified": "2025-10-24T18:30:57Z",
"published": "2025-06-27T03:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47820"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/06/19/bird-hunting-season-security-research-on-flock-safety-anti-crime-systems"
},
{
"type": "WEB",
"url": "https://gainsec.com/2025/06/19/plucked-and-rooted-device-1-debug-shell-on-flock-safetys-raven-gunshot-detection-system"
},
{
"type": "WEB",
"url": "https://gainsec.com/wp-content/uploads/2025/06/flock-safety-researcher-summary.pdf"
},
{
"type": "WEB",
"url": "https://www.flocksafety.com/articles/gunshot-detection-and-license-plate-reader-security-alert"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
When storing data in the cloud (e.g., S3 buckets, Azure blobs, Google Cloud Storage, etc.), use the provider's controls to encrypt the data at rest. [REF-1297] [REF-1299] [REF-1301]
Mitigation
In some systems/environments such as cloud, the use of "double encryption" (at both the software and hardware layer) might be required, and the developer might be solely responsible for both layers, instead of shared responsibility with the administrator of the broader system/environment.
CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.